Abuse Message - Hetzner


#1

Hello,
So I keep receiving the following:

We received a security alert from the German Federal Office for Information Security (BSI).
Please see the original report included below for details.

Please investigate and solve the reported issue.
It is not required that you reply to either us or the BSI.
If the issue has been fixed successfully, you should not receive any further notifications.

Additional information is provided with the HOWTOs referenced in the report.
In case of further questions, please contact certbund @ bsi.bund and keep the
ticket number of the original report [CB-Report#…] in the subject line.
Do not reply to <reports @ reports.cert-bund> as this is just the sender address for the
reports and messages sent to this address will not be read.

Kind regards

Abuse team

On ** Nov :, reports.cert-bund wrote:

Dear Sir or Madam,

the Simple Service Discovery Protocol (SSDP) is a network protocol
for advertisement and discovery of network services and presence
information. SSDP is the basis of the discovery protocol of
Universal Plug and Play (UPnP). SSDP uses port 1900/udp.

Over the past months, systems responding to SSDP requests from
anywhere on the Internet have been increasingly abused for DDoS
reflection attacks against third parties.

Please find below a list of affected systems hosted on your network.
The timestamp (timezone UTC) indicates when the openly accessible
SSDP server was identified.

We would like to ask you to check this issue and take appropriate
steps to secure the SSDP services on the affected systems or
notify your customers accordingly.

If you have recently solved the issue but received this notification
again, please note the timestamp included below. You should not
receive any further notifications with timestamps after the issue
has been solved.

Additional information on this notification, advice on how to fix
reported issues and answers to frequently asked questions:

This message is digitally signed using PGP. Information on the
signature key is available at the aforementioned URL.

Please note:
This is an automatically generated message. Replies to the
sender address <reports.cert-bund> will NOT be read
but silently be discarded. In case of questions, please contact
[email protected] and keep the ticket number [CB-Report#…]
of this message in the subject line.

!! Please make sure to consult our HOWTOs and FAQ available at
!!

======================================================================

Betroffene Systeme in Ihrem Netzbereich:
Affected systems on your network:

Format: ASN | IP address | Timestamp (UTC) | SSDP server
24940 |... | 2017-11-** ::** | UPnP/1.0 DLNADOC/1.50 Platinum/1.0.5.13

Mit freundlichen Grüßen / Kind regards
Team CERT-Bund

Bundesamt für Sicherheit in der Informationstechnik (BSI)
Federal Office for Information Security
Referat CK22 - CERT-Bund
Godesberger Allee 185-189, D-53175 Bonn, Germany

I did read some other topics and I have already disabled DLNA and GDM on Plex using the Plex interface.

On my QuickBox I have installed: ruTorrent, CSF, Plex, PlexPy, Radarr, Sonarr

So, does anyone have any idea how to fix this? I keep getting the same abuse message every day.
Thanks!


#2

Hello,
I am on Hetzner and I had the same problem as you. Question: do you have your firewall activated?
I solved this problem by activating the firewall and authorizing only the necessary ports. It seems that it is port 24940 which poses a problem for you, and it is indeed DLNA. Since you have CSF installed, try blocking the port in addition to having it disabled in the Plex interface.


#3

Simply turn off DLNA in Plex and you should be fine.


#4

You should block port 1900. The emails only stopped after I blocked that port. Tried turning off DLNA and other stuff, but it didn't work.

Maybe look at the ufw firewall.
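
To confirm from outside that blocking 1900/udp actually worked, here is an added example that is not part of the thread: it sends one SSDP discovery request to your own server and reports whether anything answers, which is the condition the CERT-Bund report flags. The function names are made up for this example, and it is meant to be run from a machine outside the server's network.

```python
import socket
import sys

# Standard SSDP discovery request, sent unicast to the host being checked.
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 1\r\n"
    "ST: ssdp:all\r\n\r\n"
).encode()


def parse_ssdp_response(data: bytes) -> dict:
    """Return the status line plus headers (lower-cased names) of an SSDP reply."""
    lines = data.decode("utf-8", errors="replace").split("\r\n")
    headers = {"status": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip blank or malformed lines
            headers[name.strip().lower()] = value.strip()
    return headers


def probe_ssdp(host: str, port: int = 1900, timeout: float = 3.0):
    """Send one M-SEARCH; return the parsed reply, or None if nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(M_SEARCH, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except (socket.timeout, ConnectionError):
            return None  # filtered or closed: no SSDP service reachable
    return parse_ssdp_response(data)


if __name__ == "__main__":
    target = sys.argv[1]  # your own server's public IP address
    reply = probe_ssdp(target)
    if reply is None:
        print(f"{target}: no SSDP reply on 1900/udp (blocked or not running)")
    else:
        # The SERVER header is the string CERT-Bund lists in its report.
        print(f"{target}: STILL OPEN, server = {reply.get('server', 'unknown')}")
```

A silent result only proves the path from the probing machine is filtered, so run it from a host that is not whitelisted in CSF or ufw.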


#5

Like the man said - turn off :)